[
https://issues.apache.org/jira/browse/RANGER-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17276824#comment-17276824
]
Anchal Agarwal commented on RANGER-3142:
----------------------------------------
Thanks [~comma337] for the detailed answer. :)
I've already implemented a workaround which is similar to your approach i.e.
using the API. Since my use case requires different policies for different
groups, and my groups and users come from LDAP, I was trying to use groups in
the policies.
But because this doesn't work, I am now using the API to add users (of a group)
to the users list in the policies and this workaround is okay for now.
I hope that in the future I can use groups instead.
> Access control based on groups not working for presto plugin
> -------------------------------------------------------------
>
> Key: RANGER-3142
> URL: https://issues.apache.org/jira/browse/RANGER-3142
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.1.0
> Environment: ranger-2.1.0-presto-plugin.tar.gz
> presto-server-347.tar.gz
> Reporter: Anchal Agarwal
> Assignee: Pradeep Agrawal
> Priority: Major
> Attachments: image-2021-01-29-19-53-59-145.png,
> image-2021-01-29-19-54-02-248.png, image-2021-01-29-19-54-28-329.png,
> image-2021-01-29-19-54-50-303.png, image-2021-01-29-19-55-01-685.png,
> image-2021-01-29-19-59-42-929.png, image-2021-01-29-20-00-54-796.png
>
>
> I'm using ranger-2.1.0 for access control in prestosql-347.
> A policy with user list in 'allow conditions' works i.e. if I connect to
> presto with a user in the allowed list, my query returns the expected results.
> But instead of users, if I use group in the policy and try accessing presto
> with a user belonging to that group, then I'm denied access.
> {code:java}
> %presto
> show tables in default
> Query failed (#20210106_032741_00000_dddsy): Access Denied: Cannot access
> catalog hive
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
